Monday, 1 March 2010

Windows HLP files: Still Bad

I often get asked about why Microsoft removed support for Windows Help (HLP) files under Windows Vista and Windows 7.  I mean how bad can some application documentation be right?

Well, it's not the content, it's the format. The WINHELP.EXE engine formats the HLP documentation files into a early form of HTML that can load some forms of executable content. This feature makes this file format particularly prone to a large number of security exploits.

To add some weight to this argument, Microsoft has added a security warning for a recent security vulnerability involving WINHLP (HLP) files which can be found here:

http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

Specifically, the issue raised by the Microsoft security team is;
"The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as “unsafe file types”. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system"
To find out more about these Microsoft executable file formats,  you may want to read the following Microsoft White paper found here:

Understanding Executable Content in Microsoft Products:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b7d03027-9791-443b-8bbe-0542b3aa4bfe

No comments: